MediaWiki 1.27.4
23 November 2017
MediaWiki version 1.27.4 is now available (security release).
Upgrading to MediaWiki 1.27.4
MediaWiki 1.27.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.27.4 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.27.4
This is a security and maintenance release of the MediaWiki 1.27 branch.
Security
- Potential XSS when $wgShowExceptionDetails = false and the browser sends non-standard URL escaping.
- BotPassword login attempts weren't throttled.
- Reflected File Download from api.php.
- Do not reveal if user exists during login failure.
- Ensure Message::rawParams can't lead to XSS.
- Make anchor for headlines escape > and <.
- Protect vendor folder with .htaccess.
- update.php now removes a PHPUnit file with a known RCE if it is present.
- XSS in the language converter when a regex hits pcre.backtrack_limit.
- Handle -{}- syntax in attributes safely.
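Three of the items above leave something you can verify on disk after the upgrade: the version string, the new vendor/.htaccess, and the removed PHPUnit file. The script below is an added example (not Installatron's or MediaWiki's own tooling) that audits an install directory for them. It assumes the 1.27 tree layout ($wgVersion declared in includes/DefaultSettings.php), that the PHPUnit file update.php removes is vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (the file behind CVE-2017-9841, consistent with the phpunit bump to 4.8.36 listed under Bug Fixes), and that vendor/.htaccess uses an Apache deny directive; it also warns if LocalSettings.php sets $wgShowExceptionDetails to true, which exposes backtraces to every visitor. The two install trees it builds for the demo are constructed sample data, not real wikis.

```shell
#!/bin/sh
# Added example, not Installatron's or MediaWiki's own code: audit a MediaWiki
# install directory before/after the 1.27.4 upgrade.
# Assumptions not stated in the release notes:
#   - includes/DefaultSettings.php declares $wgVersion = '1.27.4'; (1.27 layout)
#   - the PHPUnit file update.php removes is the CVE-2017-9841 eval-stdin.php
#   - vendor/.htaccess uses "Deny from all" or "Require all denied"

PHPUNIT_RCE_FILE='vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'

# mw_version DIR: print the $wgVersion string of the install at DIR
mw_version() {
    grep '^\$wgVersion' "$1/includes/DefaultSettings.php" | head -n 1 | cut -d"'" -f2
}

# version_ge A B: succeed if dotted version A is >= B (numeric, first 3 parts)
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        # trailing ".." guarantees cut always sees a delimiter; missing parts read as 0
        x=$(printf '%s..' "$1" | cut -d. -f"$i"); y=$(printf '%s..' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# audit_install DIR: one line per check; exit status is the number of failed checks
audit_install() {
    dir=$1; fails=0
    ver=$(mw_version "$dir")
    if version_ge "$ver" 1.27.4; then
        echo "ok   MediaWiki $ver (>= 1.27.4)"
    else
        echo "FAIL MediaWiki ${ver:-unknown} is older than 1.27.4"; fails=$((fails + 1))
    fi
    if [ -f "$dir/vendor/.htaccess" ] && grep -qiE 'deny from all|require all denied' "$dir/vendor/.htaccess"; then
        echo "ok   vendor/ is blocked from web access"
    else
        echo "FAIL vendor/.htaccess missing or does not deny access"; fails=$((fails + 1))
    fi
    if [ -e "$dir/$PHPUNIT_RCE_FILE" ]; then
        echo "FAIL $PHPUNIT_RCE_FILE still present; rerun update.php or delete it"; fails=$((fails + 1))
    else
        echo "ok   PHPUnit eval-stdin.php is absent"
    fi
    # not a release-note item, but true here discloses backtraces to all visitors
    if [ -f "$dir/LocalSettings.php" ] && grep -qE '^\$wgShowExceptionDetails *= *true' "$dir/LocalSettings.php"; then
        echo "WARN \$wgShowExceptionDetails = true exposes exception details to visitors"
    fi
    return "$fails"
}

# make_fixture DIR VERSION HTACCESS(0/1) RCEFILE(0/1): constructed minimal tree
# containing only the files the audit inspects (sample data, not a real wiki)
make_fixture() {
    mkdir -p "$1/includes" "$1/vendor/phpunit/phpunit/src/Util/PHP"
    printf "<?php\n\$wgVersion = '%s';\n" "$2" > "$1/includes/DefaultSettings.php"
    if [ "$3" -eq 1 ]; then printf 'Deny from all\n' > "$1/vendor/.htaccess"; fi
    if [ "$4" -eq 1 ]; then printf '<?php // placeholder standing in for the vulnerable file\n' > "$1/$PHPUNIT_RCE_FILE"; fi
}

# Demo on two constructed trees: one as 1.27.4 leaves it, one stale 1.27.3 tree.
tmp=$(mktemp -d)
make_fixture "$tmp/patched" 1.27.4 1 0
make_fixture "$tmp/stale"   1.27.3 0 1
for w in patched stale; do
    echo "== $w =="
    audit_install "$tmp/$w" || echo "   $? check(s) failed"
done
rm -rf "$tmp"
```

Run it as `sh audit.sh` after pointing `audit_install` at the real install directory (for example `audit_install /var/www/wiki`); a non-zero exit status means at least one check failed, so it drops straight into a post-upgrade hook or a cron job.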
Bug Fixes
- Better handling of job execution during post-connection shutdown.
- Support conditionally registered namespaces.
- Fix highlighting for phrase queries and phrase search.
- Provide credits information to callbacks.
- Allow namespaces defined in extension.json to be overwritten locally.
- Allow SVGs created by Dia to be uploaded.
- Password reset link is no longer shown when no reset options are available.
- Various backports for PHP 7.0 and 7.1 support.
- $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies.
- DB_REPLICA constant backported from REL1_28+ to ease backports to extensions and core.
- Unbreak Postgres Updater when setting defaults for a column.
- Remove use of implicitGroupBy() in ActiveUsersPager.
- Allow putting the app ID in the password for bot passwords.
- Updated dev dependency phpunit/phpunit from v4.8.24 to v4.8.36.